Posted by: David Harley | October 13, 2018

Krebs/Sager interview on supply chain security

Further to the Bloomberg reports previously mentioned here, here’s a fascinating article from Brian Krebs, featuring an interview with Tony Sager. Not at all Apple-specific, but essential reading.

Supply Chain Security 101: An Expert’s View

“Sager said he hadn’t heard anything about Supermicro specifically, but we chatted at length about the challenges of policing the technology supply chain.”

David Harley

Posted by: David Harley | October 11, 2018

Chinese iPhone users – Apple IDs compromised

Technode: Hundreds of Chinese iPhone users are believed to have had their Apple IDs compromised – “Over 700 Chinese iPhone users have inexplicably had money deducted from their Apple ID-bound payment channels, with the highest being RMB 10,000 ($1,440), according to local media.”

David Harley

Posted by: David Harley | October 11, 2018

Another Bloomberg report, another supply-chain issue

In a story from 9th October, Bloomberg tells us of New Evidence of Hacked Supermicro Hardware Found in U.S. Telecom.

“A major U.S. telecommunications company discovered manipulated hardware from Super Micro Computer Inc. in its network and removed it in August, fresh evidence of tampering in China of critical technology components bound for the U.S., according to a security expert working for the telecom company.”

The tampering described differs from that in Bloomberg’s previous report. This one describes an ‘implant’ in a server’s Ethernet connector. The communications company has not been named, but the report is based on information from Yossi Appleboum, described as “co-chief executive officer of Sepio Systems”, who suggests that this approach to snooping has been seen in other equipment supplied by China, while Bloomberg compares it to manipulations used by the NSA.

Commentary from The Verge: Tampered Chinese Ethernet port used to hack ‘major US telecom,’ says Bloomberg report.

Whatever the truth of this story, it seems to go far beyond Apple, so it has also been published on the AVIEN blog.

David Harley

Posted by: David Harley | October 10, 2018

Android, iOS, and macOS issues

Pierluigi Paganini: Hackers can compromise your WhatsApp account by tricking you into answering a video call

The Register: Rap for WhatsApp chat app chaps in phone-to-pwn security nap flap – “Memory corruption flaw present in Android, iOS builds. Aaand it’s been fixed”

Further to this story: Intel Management Mode – Apple didn’t lock

Thomas Claburn for The Register: Intel’s commitment to making its stuff secure is called into question – ‘In an email to The Register in response to our report about the problems posed by the Manufacturing Mode in Intel’s Management Engine (ME), which if left open leaves processors vulnerable to local attack, Kanthak called Intel’s statement “a blatant lie.”’

MacRumors: Apple Releasing iOS 12.0.1 With Fixes for Wi-Fi 2.4GHz Bug, Lightning Charging Issue [Update: Now Available]

The Register: Pixel 3, 3XL, Slate tab launch: Google emits swanky iPad botherer while tarting up mobes – “The day after Google confessed to almost exposing the private data of hundreds of thousands of Google+ accounts to app developers, the ad giant unveiled perhaps the most-leaked phone in recent memory.”

David Harley

Posted by: David Harley | October 10, 2018

More commentary on China, Apple, and supply-chain hacking

Following up on the previous story Supply chain hacking: bull in a China shop? [updated]

[Additional: Motherboard – The Cybersecurity World Is Debating WTF Is Going on With Bloomberg’s Chinese Microchip Stories]

Paul Ducklin for Sophos: Apple and Amazon hacked by China? Here’s what to do (even if it’s not true) – more useful than most of the commentary I’ve seen!

The Register: Chinese Super Micro ‘spy chip’ story gets even more strange as everyone doubles down – “Bloomberg puts out related story while security experts cast doubt on research and quotes”

Risky Business Feature: Named source in “The Big Hack” has doubts about the story

See also commentary by John Gruber.

Reuters: Apple tells Congress it found no signs of hacking attack – John Gruber adds Here’s the entire letter.

Department of Homeland Security: Statement from DHS Press Secretary on Recent Media Reports of Potential Supply Chain Compromise – “Like our partners in the UK, the National Cyber Security Centre, at this time we have no reason to doubt the statements from the companies named in the story.”

Well, that’s reassuring. Or is it? Well, not for John Gruber: “For me, having the current U.S. government weighing in publicly on this issue does not fill me with any sense of confidence or reassurance on either side of this story….” Me neither. And I’m not reassured by the equally lukewarm commentary from the UK, either.

Reuters: UK cyber security agency backs Apple, Amazon China hack denials

So I’m still waiting to see whether Bloomberg has something more definite to back its claims.

Commentary from Graham Cluley: Department of Homeland Security and GCHQ back Apple and Amazon’s denials they were hacked by China

And Richard Chirgwin for The Register: Super Micro China super spy chip super scandal: US Homeland Security, UK spies back Amazon, Apple denials – “Officials: Not saying Bloomberg was wrong, we just believe biz saying Bloomberg was wrong”

David Harley
